Recommended Cybersecurity Tools and Testing
Colleges and universities are increasingly targeted for cyberattacks. Unfortunately, many higher education institutions have been unable to keep pace with the constantly evolving threat landscape, leaving networks and sensitive information vulnerable to exploitation. As attacks become more sophisticated and universities continue to move their operations and data to the cloud, the potential risks and consequences of data breaches increase.
As your students return to campus this fall, how can you be sure your networks are protected? Below are some common controls and security tools that can be deployed:
- Network Segmentation: Dividing the campus networks using VLANs so if an attacker does gain access to one network, they will be unable to move laterally and compromise additional systems and/or sensitive data.
- Firewalls: Implementing firewalls at entry and exit points to monitor and filter incoming and outgoing traffic based on security policies.
- Intrusion Detection and Prevention Systems (IDS/IPS): Installing IDS/IPS systems to detect and prevent malicious activities.
- Network Monitoring: Deploying network monitoring tools to identify unusual behavior and detect potential threats.
- Anti-Malware/Anti-Virus Protection: Deploying anti-malware software on endpoints and servers to detect and remove malicious software.
- Data Loss Prevention (DLP): Implementing DLP solutions to monitor and prevent unauthorized transmission or exfiltration of sensitive data.
- Data Encryption: Using encryption to protect sensitive data in transit and to safeguard data at rest.
- Patch Management: Regularly applying security patches and updates to network devices and systems to address vulnerabilities and protect against known threats.
- Security Information and Event Management (SIEM): Deploying SIEM solutions to centralize log collection and analysis.
- Virtual Private Networks (VPNs): Providing secure remote access to the campus network. It is also important to ensure that all devices used for remote access are up to date with the latest security patches and updates.
However, once these standard tools and practices are in place, how are organizations taking security a step further and “testing” their preventative measures? Or if your teams do not have adequate funding and/or resources to deploy the necessary technology, how can you more accurately identify the risk, likelihood, and potential impact of a breach within your organization? Some possible activities your team may not have considered in your security roadmap include:
Internal Network Penetration Testing
Network penetration testing doesn’t simply identify potential vulnerabilities, but rather goes a step further to actively and manually exploit any vulnerabilities and demonstrate the attack vectors that could potentially be used to access your organization’s systems. Internal testing can ensure an attacker with access to the student or guest network, or who gains access to a student or faculty account, is not able to move laterally into other university networks and gain unauthorized access to university systems and data.
If resources are limited, you can target your testing to those areas that touch sensitive data (think PHI, research data, student financial aid info, etc.). Arming your team with a penetration test report that details open holes or security gaps allows you to more quickly address high risk areas that may have a larger breach impact, and prioritize plans to address lower risk items in your longer term security strategy. A well-conducted pen test will also provide evidence to demonstrate the value of your current security tools and gain support for increased security investments where tools may be lacking.
Wireless Network Penetration Testing
Wireless testing can be performed to identify any rogue access points, assess authentication, and identify gaps in the security and design of your organization’s wireless network. Testing can also identify any available non-standard wireless networks (by evaluating wireless SSIDs), which may allow employees to circumvent access controls and network security. You can also verify device compliance and ensure only trusted devices are connecting to the network.
Endpoint Device Testing
Unmanaged remote endpoints can be a significant risk to an organization. With unpatched software vulnerabilities being such a common attack vector for cybercriminals, this responsibility should not fall to the end users who may be accessing your network on workstations, laptops, smart phones, etc., as there are too many opportunities for error. Central IT can deploy tools to ensure all software is secured and up to date, and manage anti-virus/anti-malware software to actively identify and mitigate known threats.
In order to verify the ongoing security of employee workstations and laptops, it is a good practice to test and review the image of an organizational device that has been in use for a year (especially if used remotely) and compare it to a newly configured device. This gives you the information needed to determine how effective your organization has been at enforcing secure configurations and keeping devices patched and updated, and to correct any deficiencies.
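The comparison described above, as an added example that is not part of the original article: a small Python script that diffs a constructed snapshot of a year-old device against a freshly built baseline and lists outdated software, unexpected software, drifted security settings, and missing patches. The inventory format, field names, and patch IDs are assumptions; a real snapshot would come from your endpoint management tool.

```python
# Added example (not from the original article): compare a snapshot of a
# device that has been in the field for a year against a freshly built
# baseline image and report drift. The inventory layout and all sample
# values below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    hostname: str
    packages: dict                      # package name -> installed version
    settings: dict                      # security setting -> expected value
    patches: set = field(default_factory=set)   # installed patch identifiers


def _version_tuple(version: str) -> tuple:
    """Turn '118.0.2' into (118, 0, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def compare(baseline: Snapshot, device: Snapshot) -> dict:
    """Return the drift of a field device relative to the baseline image."""
    report = {"outdated": [], "unexpected": [], "setting_drift": [],
              "missing_patches": sorted(baseline.patches - device.patches)}
    # Software that is missing or older than the version in the baseline.
    for name, base_ver in baseline.packages.items():
        dev_ver = device.packages.get(name)
        if dev_ver is None or _version_tuple(dev_ver) < _version_tuple(base_ver):
            report["outdated"].append((name, dev_ver, base_ver))
    # Software installed in the field that the baseline never contained.
    report["unexpected"] = [n for n in device.packages if n not in baseline.packages]
    # Security settings that no longer match the enforced configuration.
    for key, expected in baseline.settings.items():
        actual = device.settings.get(key)
        if actual != expected:
            report["setting_drift"].append((key, actual, expected))
    return report


# Constructed sample data: a fresh image versus a laptop used remotely for a year.
BASELINE = Snapshot(
    "fresh-image",
    {"browser": "118.0.2", "pdf-reader": "23.1.0", "vpn-client": "5.2.1"},
    {"disk_encryption": "on", "host_firewall": "on", "local_admin": "disabled"},
    {"PATCH-2023-01", "PATCH-2023-02", "PATCH-2023-03"},
)
FIELD = Snapshot(
    "laptop-0421",
    {"browser": "116.0.5", "pdf-reader": "23.1.0", "vpn-client": "5.2.1",
     "torrent-client": "1.4.0"},
    {"disk_encryption": "on", "host_firewall": "off", "local_admin": "enabled"},
    {"PATCH-2023-01", "PATCH-2023-02"},
)

if __name__ == "__main__":
    for category, findings in compare(BASELINE, FIELD).items():
        print(f"{category}: {findings}")
```

Each non-empty category in the report is a deficiency to feed back into configuration enforcement or patch management, and an empty report for a year-old device is the evidence that those controls are working.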
Physical Security Penetration Testing
A physical penetration test is an authorized attack against a physical location or locations on campus. The overall objective is to evaluate physical buildings, identify potential vulnerable methods of entry, exploit flaws and exfiltrate sensitive data or equipment. By performing attempts similar to those of a malicious actor, testers can attempt to clone access cards, gain access to external doors using under door tool hacks, and steal keys and door cards left unattended. These tests are valuable in ensuring unauthorized individuals would not be able to gain access to secure network equipment rooms, wiring closets, or data centers.
Bypassing Multi-Factor Authentication (MFA)
Most organizations have taken steps to implement multi-factor authentication for their users, which has led cyber attackers to develop new methods in order to circumvent MFA. A penetration test engagement targeted at your MFA system can help identify any potential system misconfigurations or security risks. Social engineering and credential attacks are used, including email phishing and password spraying, to compromise logon credentials. Once the initial credentials are gathered, attackers can then attempt to trick compromised users into accepting unsolicited MFA notifications. Voice phishing (vishing) attacks are also used against Help Desk or Call Center employees, in an attempt to trick them into believing the caller is an authorized user and acquire bypass codes to circumvent MFA altogether for a compromised account. This is a great way to ensure your Help Desk employees always follow outlined procedures and are not a weakness in your security plan.
Securing campus networks and infrastructure requires a multi-faceted approach that combines technology solutions, awareness training, and ongoing security audits and testing.
Additional feedback from our RedLens InfoSec Manager:
Wheeler: It is very common for institutions to complete projects or implement major changes during the summer and before school starts in the fall. It is important to understand that no matter how much planning we do, no matter how well implementation goes, testing should be performed to identify if there were security risks introduced or misconfigurations that were not realized. Trust but verify.